  1. SHA3
     Reporter: Jyun-Yao Huang ( June 4th, 2013
  2. Outline
     • Introduction
     • SHA3
     • Security Analysis
     • Experiments
     • Conclusion
  3. Introduction
     • In 2005, Wang et al. introduced serious concerns about the security of SHA-1.
     • NIST opened a public competition on November 2, 2007, to develop a new cryptographic hash algorithm (referred to as SHA-3) to augment the hash algorithms specified in Federal Information Processing Standard (FIPS) 180-2, Secure Hash Standard.
     • 1st round: 51 candidates in 2008.
     • 2nd round: 14 candidates in 2009.
     • 3rd round: 5 candidates in 2010.
  4. Introduction: Keccak wins!
     • Keccak (Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.) announced as the SHA-3 winner on October 2, 2012
     Table 1: The five final candidates of SHA3
  5. The Keccak Team
     • Michaël Peeters, Guido Bertoni, Gilles Van Assche and Joan Daemen.
  6. Introduction: The Beginning Ideas of Keccak
     • RADIOGATUN [NIST 2nd Workshop, 2006]
     • Variable-length output
     • Expressing security claim: non-trivial exercise
     • But, neither did third-party cryptanalysis
     • NIST SHA-3 deadline approaching …
     • U-turn: design a sponge with strong permutation f
     • Sponge functions
     • closest thing to a random oracle with a finite state
     • Sponge construction calling random permutation
  7. SHA3
     • Sponge Construction
     • Keccak Functions
     • Keccak-f Permutation
     • The algorithm of each operation
  8. Sponge Construction
     • SPONGE[f, pad, r]
     • f: fixed-length permutation which operates on b bits.
     • pad: padding rule, denoted by M||pad[b](|M|), where M denotes the message.
     • r: bit rate.
     • c: capacity, equal to b − r, with c < b.
  9. Sponge Construction (2)
     [Figure: Absorbing Phase, Squeezing Phase]
  10. KECCAK Functions
      • By default, $c = 576$, $b = 1600$, $n_r = 24$.
  11. The KECCAK-f permutation (1)
      • KECCAK([ ] ) is a family of sponge functions that use as a building block a permutation from a set of 7 permutations.
      • The 7 permutations are indicated by KECCAK-f[b], where $b = 25 \times 2^l$ and $l$ ranges from 0 to 6. KECCAK-f[b] is a permutation over .
      • The state a is a three-dimensional array over GF(2), namely a[5][5][w], where $w = 2^l$.
      • a[x][y][z]: $x, y \in \mathbb{Z}_5$ and $z \in \mathbb{Z}_w$.
      • The mapping between bits of s and a is
      • The 7 permutation widths (b): {25, 50, 100, 200, 400, 800, 1600}
  12. Keccak-f State
  13. The KECCAK-f permutation (2)
      • KECCAK-f[b] is an iterated permutation with a number of rounds R, indexed by 0 to $n_r - 1$
  14. Algorithm of θ
      • Without θ, the KECCAK-f function would not provide diffusion of any significance.
      • High average diffusion and low gate count: 2 XORs per bit.
  15. Algorithm of θ
  16. Algorithm of ρ
  17. Algorithm of π
  18. Algorithm of χ
      • χ is the only non-linear mapping in Keccak-f.
      • It can be implemented in parallel.
      • It has algebraic degree 2, but the inverse may not be degree 2.
  19. Algorithm of ι
      • It is aimed at disrupting symmetry.
      • Without it, the round function would be translation-invariant in the z direction and all rounds would be equal, making Keccak-f subject to attacks exploiting symmetry such as slide attacks.
  20. The KECCAK-f permutation (3)
      • Addition and multiplications are in GF(2) except RC[$i_r$].
      • are defined as the output of LFSR (linear feedback shift register).
      • Note that $n_r = 12 + 2l$
  21. All the procedures
  22. All the procedures (cont.)
  23. All the procedures (cont.)
  24. The candidates of SHA3
  25. Security Analysis
      • Immunity to generic attacks:
      • Given capacity c, the success probability is lower than $1 - \exp(-N(N+1)2^{-(c+1)})$, with N the number of calls to the underlying permutation or its inverse. If $1 \ll N \ll 2^{c/2}$, this bound simplifies to $2^{-(c+1)}N^2$.
      • The zero-sum distinguisher for all 24 rounds has a complexity of $2^{1579}$.
  26. Experiments: Hardware
      • Intel 8051 8-bit processor with an 8-bit data bus, a 16-bit address bus and 512 bytes of RAM: 128 bytes of lower internal RAM, 128 bytes of higher internal RAM and 256 bytes of external RAM (indirect access only)
  27. Experiments: My Experiment
      • Platform
      • CPU: i5-2450m, RAM: 8GB
      • Programming language: Microsoft C#
      • Testing data: the message with 1, 10, 100 million bytes.
      • It runs 10 times and extracts the average values.
      • Algorithms for testing: MD5, SHA256, SHA3-512

      Table 2: The experimental result in milliseconds

      Case (bytes)   MD5         SHA256       SHA3-512
      1 million      1.56001     31.20007     118.56019
      10 million     35.88007    110.7602     1180.92206
      100 million    352.56065   1098.24191   12124.34128
  28. Conclusions
      • SHA3 is the hash function of the future. It offers a secure scheme that is the closest thing to a random oracle with a finite state.
      • It is slower than SHA256.
      • However, its architecture is well suited to hardware design, which encourages manufacturers to implement it.
  29. Reference
      • Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak sponge function family main document,
      • Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche, "The Keccak sponge function family",
      • Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche, "Keccak implementation overview",
  30. Appendices: Zero-Sum Distinguisher
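
The sponge construction and the five step mappings of KECCAK-f[1600] (θ, ρ, π, χ, ι) from the slides, written out as an added Python example; it is not code from the slides or from the Keccak team. The function names are hypothetical, and the `0x06` domain suffix with c equal to twice the digest size are the FIPS 202 SHA-3 parameters, which the slides do not state (they give the default c = 576).

```python
def rol(v, n):
    return ((v << n % 64) | (v >> (64 - n % 64))) & (2**64 - 1)

def round_constants(nr=24):                  # n_r = 12 + 2l = 24 for l = 6
    rcs, r = [0] * nr, 1
    for i in range(nr):
        for j in range(7):                   # LFSR output bit j lands at lane position 2^j - 1
            r = ((r << 1) ^ ((r >> 7) * 0x71)) & 0xFF
            if r & 2:
                rcs[i] |= 1 << ((1 << j) - 1)
    return rcs

RC = round_constants()

def keccak_f1600(state):                     # lane a[x][y] holds the w = 64 bits along z
    a = [[int.from_bytes(state[8*(x+5*y):8*(x+5*y)+8], "little") for y in range(5)] for x in range(5)]
    for rc in RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]  # theta
        d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, a[1][0]            # rho and pi, walking the 24 non-origin lanes
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, a[x][y] = a[x][y], rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(5):                   # chi, the only non-linear step
            row = [a[x][y] for x in range(5)]
            for x in range(5):
                a[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        a[0][0] ^= rc                        # iota breaks the symmetry between rounds
    return bytearray(b"".join(a[x][y].to_bytes(8, "little") for y in range(5) for x in range(5)))

def sponge(msg, c, out_len, suffix):
    rate = (1600 - c) // 8                   # r = b - c, in bytes
    p = bytearray(msg) + bytes([suffix])     # domain bits plus the first 1 of pad10*1
    p += bytes(-len(p) % rate)
    p[-1] ^= 0x80                            # closing 1 of pad10*1
    state = bytearray(200)
    for off in range(0, len(p), rate):       # absorbing phase: XOR r bits in, then permute
        block = p[off:off + rate] + bytes(200 - rate)
        state = keccak_f1600(bytes(s ^ m for s, m in zip(state, block)))
    out = bytes(state[:rate])                # squeezing phase: read r bits, permute for more
    while len(out) < out_len:
        state = keccak_f1600(state)
        out += bytes(state[:rate])
    return out[:out_len]

def sha3(msg, bits):                         # assumption from FIPS 202, not from the slides
    return sponge(msg, 2 * bits, bits // 8, 0x06)
```

`sha3(b"abc", 256)` returns the same bytes as `hashlib.sha3_256(b"abc").digest()`, which makes the standard library a convenient cross-check for this kind of reference implementation.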